[FIXED] How to share .env with teams

Issue

I have a question about .env file. I know it is a file that contains secrets like API key and password. I also read that you should not commit it to VCS like GitHub. This is fine if I am working alone, but of course, I have team members. So, how should I share the file with someone in my team then? If a new developer joins, do I have to email .env to him/her?

Thank you for your help in advance :)

Solution

As you mentioned, it's not a good idea to store secrets in a repository. If you're discussing production secrets, then typically you don't want those on developer machines at all, and you can use some sort of secret store. For example, your CI system, such as Travis CI or GitHub Actions, will typically have a way to store secrets that you can use when deploying code. This will keep them in an encrypted state where they won't be exposed except when you're doing deploys.

Some other environments also use a more general secret store such as Vault. This is not only good for production, but can also be used to store development secrets (which should be different and have limited access). If you have a bastion or shell host that you use in production, you can grant developers access to the development secrets on that system, and use a script in your repository to automatically fetch them when setting up the repo. Then they'll be stored in a location that's secure, and if they need to be rotated, the developer can simply run the script to get new ones.

In general, you should be using some sort of secret store for these as much as possible, and be sure that users are fully authenticated (preferably using strong password and some sort of 2FA mechanism) before they can get access. If you do that, then sharing secrets becomes less burdensome because it's just a matter of provisioning access to the secret store.

Note that a .env file can also contain things that aren't secrets, like other environment variables that are needed to run, such as the type of environment (development or production). Those are fine to store in the repository, and if you need to mix secret and non-secret data, you can create a script which takes the development values from a template file and merges in the development secrets to create the .env. Be sure to mark the .env file as ignored in .gitignore so that users don't check it in accidentally.

Answered By - bk2204

Answer Checked By - Senaida (PHPFixing Volunteer)

Read More

[FIXED] How to build a p2p connection between 2 devices like torrent

Issue

I want to build a system with 2 or more devices. Devices in the system can send files to each other using p2p, not through the server (files to be sent are not uploaded to the server)

To clear, suppose my system has 2 PCs placed in 2 different places (not LAN network and no static ip), they can share files with each other via the internet without a server. I do not want shared files uploaded to the server (no time and memory required).

Of course my system will still have a server and a database that will store data and transfer some important information between the two devices via sockets.

I searched a lot on the internet, and all I found was around the torrent network. I don't know how to build a system like torrent.

I have not decided which language or framework I will use (Java, C#, Python, NodeJS). Any suggestions on tutorial, languages, libraries, frameworks are welcome.

Thanks all

Solution

Since you have a server, it's much easier.

1. Using your server to build a ICE structure to do NAT traversal

2. You may need some machines to release the pressure of server when finding other nodes, so LSD and DHT are both recommanded.

3. Using peer wire protocol to send files is really good.

There is an open source project libtorrent which may be useful for you. I think you can just use some part of it to realise your design. As for language, libtorrent is written by C++, but it's not really important.

Answered By - tyChen

Answer Checked By - Marilyn (PHPFixing Volunteer)

Read More